
Re: squid 5.0.4 cache_peer bug on https outgoing

Yes, I've tried all of these combinations.

### 0x00 cache_peer without ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 【no ssl】


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【it is ok】

curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x http://admin:squid@localhost:3128 -v  -k     【Get 502】

< HTTP/1.1 502 Bad Gateway
< X-Cache: MISS from example.com
< Transfer-Encoding: chunked
< Connection: keep-alive

log json:

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }


### 0x01 cache_peer with ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 ssl


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】

< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Mon, 28 Sep 2020 04:21:00 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1649
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

<p>The system returned:</p>
<blockquote id="data">
<pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>
<p>Handshake with SSL server failed: [No Error]</p>
</blockquote>




### 0x02 how to outgoing https request by cache_peer (on squid 5.0.4/Chains proxy)

Similar to the feature in Charles or Fiddler (open an HTTP(S) proxy on 8080, capture the request, then send it out through another HTTP(S)/SOCKS4/5 proxy).

1. Fiddler gateway: https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway

curl https://google.com -x http://squid:3128 --> outgoing(cache_peer: like Fiddler gateway) --> google.com:443

The cache_peer should ignore SSL verification, like other software does.

On squid 5.0.4, HTTP is OK, but HTTPS gets an ERR_SECURE_CONNECT_FAIL error.



Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote on Mon, 28 Sep 2020 at 6:48 AM:
On 9/27/20 12:07 PM, sec wrote:

> http_port 3128 ssl-bump ...

> curl http://google.com -x https://admin:squid@localhost:3128 -v  -k

The above two lines do not match AFAICT: You tell curl to use an HTTPS
proxy, but you tell Squid to expect plain HTTP proxy requests.

Also, please note that if you fix the above problem by moving "https"
from "-x" to the origin server URL, then you will probably face another
problem:

curl https://google.com -x http://admin:squid@localhost:3128 -v  -k

> ssl_bump allow all

> cache_peer 127.0.0.1 parent 3129 0 ssl

Squid does not (yet) support "TLS inside TLS": Talking TLS with the
origin server through a cache_peer that also expects a TLS connection.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
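The chaining the thread is about (client issues CONNECT to a front proxy, the front proxy re-issues the CONNECT to a parent, the parent opens the origin connection) can be reproduced without Squid at all. The following is an added example, not code from the thread or from the Squid project: two minimal CONNECT proxies chained on loopback, standing in for `http_port 3128` and the plain `cache_peer ... parent` (no `ssl`), plus an origin that upper-cases what it receives. It also shows the failure path: when the parent leg cannot be established the front proxy hands the client a `502 Bad Gateway`, which is the status the original poster sees. The ports, the upper-casing origin and the payload are constructed for the demo. The unsupported "TLS inside TLS" case Alex describes would mean wrapping the parent leg in TLS before sending the CONNECT and then running the origin's TLS handshake inside it; this example deliberately stays on plain TCP.

```python
"""Chained CONNECT tunnel demo: client -> front proxy -> parent proxy -> origin.
Added example for the squid-users thread above; not Squid code. Loopback only."""
import socket
import threading


def _readline(sock):
    buf = b""
    while not buf.endswith(b"\r\n"):
        c = sock.recv(1)
        if not c:
            break
        buf += c
    return buf


def _read_head(sock):
    """Return the request/status line; consume headers up to the blank line."""
    first = _readline(sock)
    while _readline(sock) not in (b"\r\n", b""):
        pass
    return first


def _pump(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on as a write shutdown."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Accept loop on an OS-chosen loopback port; one thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_origin():
    """Constructed origin (stands in for google.com:443): echoes input upper-cased."""
    def handle(conn):
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            conn.sendall(data.upper())
    return _serve(handle)


def start_proxy(parent_port=None):
    """CONNECT proxy. With parent_port it behaves like Squid using a cache_peer
    parent with never_direct: the CONNECT is forwarded to the parent instead of
    the proxy opening the origin connection itself."""
    def handle(conn):
        parts = _read_head(conn).split(b" ")
        if len(parts) < 3 or parts[0] != b"CONNECT":
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"); conn.close(); return
        target = parts[1]
        host, port = target.rsplit(b":", 1)
        up = socket.socket()
        try:
            if parent_port is None:                       # direct to origin
                up.connect((host.decode(), int(port)))
            else:                                         # via parent (cache_peer)
                up.connect(("127.0.0.1", parent_port))
                up.sendall(b"CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target))
                if b" 200 " not in _read_head(up):
                    raise OSError("parent refused the tunnel")
        except OSError:                                   # peer/origin leg failed
            up.close(); conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n"); conn.close(); return
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        threading.Thread(target=_pump, args=(up, conn), daemon=True).start()
        _pump(conn, up)
    return _serve(handle)


def tunnel_request(proxy_port, origin_port, payload):
    """Client side (what curl -x does): CONNECT, then talk through the tunnel.
    Returns (status line, bytes received back from the origin)."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    target = b"127.0.0.1:%d" % origin_port
    s.sendall(b"CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target))
    status, reply = _read_head(s).strip(), b""
    if b" 200 " in status:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while chunk := s.recv(4096):
            reply += chunk
    s.close()
    return status, reply


def demo():
    """Working chain: front proxy -> parent proxy -> origin."""
    origin = start_origin()
    parent = start_proxy()                   # like: cache_peer 127.0.0.1 parent 3129 0
    front = start_proxy(parent_port=parent)  # like: http_port 3128 + never_direct allow all
    return tunnel_request(front, origin, b"hello via chained connect")


def demo_peer_failure():
    """Origin port with no listener: the parent fails, the front answers 502."""
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    dead = probe.getsockname()[1]; probe.close()
    front = start_proxy(parent_port=start_proxy())
    return tunnel_request(front, dead, b"unused")


if __name__ == "__main__":
    print(demo())
    print(demo_peer_failure())
```

Running the block prints the 200 path first and the 502 path second. The 502 in the failure path is generated by the front proxy after the parent reports its own 502, which is the same shape as the `X-Cache: MISS` / `502 Bad Gateway` headers in the first test above: the client never learns which leg of the chain failed, so the Squid access log (`hierarchy_status`) is the place to look.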
